Can We Catch Phone Scammers by Their Audio Fingerprints?

Your voice isn't the only thing coming through during a phone call. Background noise, tiny breaks in the call, and other subtle clues can tell security experts where you're calling from and even what service you might be using.

Pindrop Security has a new way of beating the phone scammers who prey on banks and other institutions: by identifying the audio fingerprint of a phone call. Called "phoneprinting," this software solution uses elements of an audio signal to determine the type of device being used, its location, and whether the person on the other end is for real.

Caller ID may have been pretty advanced for the 1990s, but nowadays, it is easy to fool. And the verification questions a bank rep will ask over the phone to make sure you're really who you purport to be are not exactly the locks on Fort Knox—the answers can be obtained from personal information stolen and purchased online for as little as five dollars.

Pindrop CEO Vijay Balasubramaniyan says that phoneprinting can determine within 20 seconds whether a call is fraudulent by analyzing 147 features within the audio signal. For example, it looks at the imperceptible breaks in a call for signs of VoIP (voice over IP) packet loss; depending on factors such as the duration of the break, it knows whether the caller is using Skype, Google Talk, or some other system. Noise also offers clues. Old-style copper fiber absorbs the ambient noise of co-located electrical lines, while digital devices play algorithmically generated "comfort noise" to reassure users that the line is live.
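As an added illustration (not Pindrop's code and not part of the original article), the sketch below measures one feature of the kind described above: short dropouts in call audio and whether their lengths fit a whole number of packets. The 8 kHz sample rate, the 20 ms packet size, the zero-filled gaps and all function names are assumptions, and the signal is constructed.

```python
import math
import random

RATE = 8000  # samples/s, narrowband telephony (assumption)

def make_call(ms=1000, lost=((200, 20), (600, 40)), seed=1):
    """Constructed signal: 440 Hz tone plus faint noise, with spans zeroed to
    imitate lost packets. `lost` holds (start_ms, length_ms) pairs."""
    rng = random.Random(seed)
    sig = [0.5 * math.sin(2 * math.pi * 440 * i / RATE) + rng.uniform(-0.01, 0.01)
           for i in range(ms * RATE // 1000)]
    for start, length in lost:
        a, n = start * RATE // 1000, length * RATE // 1000
        sig[a:a + n] = [0.0] * n
    return sig

def find_dropouts(sig, frame_ms=5, floor=1e-3):
    """Return [(start_ms, duration_ms)] for runs of frames whose RMS < floor."""
    step = RATE * frame_ms // 1000
    n_frames = len(sig) // step
    gaps, run_start = [], None
    for f in range(n_frames):
        frame = sig[f * step:(f + 1) * step]
        silent = math.sqrt(sum(x * x for x in frame) / step) < floor
        if silent and run_start is None:
            run_start = f                      # a quiet run begins
        elif not silent and run_start is not None:
            gaps.append((run_start * frame_ms, (f - run_start) * frame_ms))
            run_start = None                   # the quiet run ended
    if run_start is not None:                  # signal ended inside a gap
        gaps.append((run_start * frame_ms, (n_frames - run_start) * frame_ms))
    return gaps

def packets_lost(gaps, packet_ms=20, tol_ms=5):
    """Map each gap to a whole packet count, or None when its length does not
    fit the assumed packet size within tol_ms (so it is not packet-shaped)."""
    out = []
    for start, dur in gaps:
        k = round(dur / packet_ms)
        fits = k > 0 and abs(dur - k * packet_ms) <= tol_ms
        out.append((start, k if fits else None))
    return out

if __name__ == "__main__":
    gaps = find_dropouts(make_call())
    print("dropouts (start_ms, duration_ms):", gaps)
    print("as packets (start_ms, count):", packets_lost(gaps))
```

Mapping gap lengths to a particular VoIP service is not attempted here, since the article gives no values for that step.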

Then there is the human voice. Because the voice tends to be a "bandwidth hog," it is never played with its full tonality during a phone call. In fact, different telecommunications technologies in different countries will filter out different frequencies in the human voice. For instance, Balasubramaniyan says, landline calls from India will be limited to 150-2500 hertz "because the telecommunications infrastructure in India is less developed so they use more aggressive frequency filters."

How much information can you glean from these clues? The initial Pindrop Security solution could narrow down a call's point of origin to regions the size of France, but a newer version of the system shows dramatically improved capabilities. "What we've seen right now with our research, we're able to identify… a city," Balasubramaniyan says. "We're now rolling that out slowly across our customers."

In some cases, that's good enough. Balasubramaniyan recalls a recent case in which phoneprinting protected someone's life savings. It was a Saturday night, when call center employees are not at their most vigilant, and the caller was trying to transfer $97,000 from one bank to another. The caller knew all the answers to the identity questions associated with the account, but the system still detected fraud: The account holder lived in San Francisco, but "the call was actually coming from a Skype phone in Nigeria, so we knew that something was wrong," he says. "The customer never left a travel note saying that he was traveling in Nigeria." The wire transfer never went through, and the bank verified with the account holder that he was still, in fact, in San Francisco.

This kind of fraud is so common now that companies have been devising all kinds of defenses. Each, however, comes with its own drawbacks. Some systems authenticate a caller's number and device based on personal information gathered from telephone companies. The problem here is that the cooperation of a carrier is not always forthcoming. "There are many cases where the carrier doesn't have this information, especially when you have Voice over IP devices set up anywhere in the world," Balasubramaniyan says.

Some solutions use biometrics to catch fake callers. The idea is to first get a voiceprint of a fraudster, store it in a data bank, and then match it up against future calls. But for this to work, you still need that first hit. Additionally, the crook can evade biometrics by distorting his voice or by enlisting multiple confederates. "The fraudsters identify the blind spots and hide in those blind spots," he says.

Over the coming months, Pindrop wants to work with carrier networks to incorporate its solution into a sort of next generation of Caller ID. "The next stage is to actually build a system of reputation," Balasubramaniyan says.
